On Fri, Apr 06, 2001 at 09:33:04PM -0400, Randy Kramer wrote:
> Now, I may be wrong in my understanding, but, for a moment, please
> assume I'm right. If I am right, and the security provided by a
> passwordless ssh connection is just as good as, for example, PGP (assume
> I'm right about that too, please, for a moment), then do you still have
> concerns about ssh passwordless security?

The net-net is:

On the box accepting the connection w/o a password from another box with
the private key, the security of the accepting box is _only_ as good as
the account on the originating box.

If the originating box is secure, then the passwordless ssh is also
secure.

The issue isn't really cracking ssh (for most applications), but rather
whether or not you want the possibility that someone might crack your
'master' account and thus have your private key and passwordless access
to some other number of boxes.

As for implementing ssh inside of rsync, I'd like to continue to reiterate
what a bad idea I think that is. Security is enough pain without worrying
about every program carrying its own security model and implementation (and
possible exploits).

-drew
--
M. Drew Streib <[EMAIL PROTECTED]>, http://dtype.org
"Email sigs waste valuable bandwidth."